Full Group Summary

The environments in which we all work have become more complicated
as the years have passed, and one of the outcomes is that they are far
more difficult to test for vulnerabilities. Since many years ago when
Dan Farmer and Wietse Venema wrote their seminal paper, "Improving the
security of your site by breaking into it," the process of security
testing has both improved and become more difficult.

Today, unlike when Farmer and Venema wrote their paper, we actively
invite strangers into our networks. Well, not exactly all the way in,
but far enough to cause concern if the perimeter is not very secure.
Never before has the notion of layered security been more important.

Recently, I performed some testing on a web application. I knew the
application had some holes, but my main concern was whether the holes
could be reached from an attacker's location, wherever that might be.
To do that, I needed to test vulnerabilities in the infrastructure.

The tools we looked at this month do exactly that: they enable
testing of the infrastructure. By that I mean the network and the
platforms on it. This introduces the concept of reachability. If
applications are exposed to the outside, simple vulnerabilities become
potential disasters. That means that the platforms they sit on and the
routes to those platforms must be protected. Sometimes that's easier to
talk about than it is to do.

That's where this month's products come into play. If the best you
can do is to monitor an application and its platform closely, it is
important to know what, exactly, you are monitoring for.

This month's crop of tools helps define the environment by
demonstrating vulnerabilities, confirming them, and helping you decide
their severity. With that in mind, you can consider credible threats
that play against those vulnerabilities. Vulnerability analysis, then,
becomes an important part of risk analysis. In fact, more and more SIMs
and SEMs are accepting vulnerability data.

Selecting toolsGenerally speaking, I favor a multi-step process for vulnerability
analysis. First, I want to get a good picture of the network
infrastructure I am going to analyze. This is an important first step
because I know that I am going to get some false positives and some
results that are not reasonable in terms of reachability of the target.
Some parts of the infrastructure are more sensitive than others. All of
these issues militate for understanding the test environment.

Next, I want to do a bit of reconnaissance. For that I want a good
vulnerability assessment tool. This gives me the lay of the land. If
there are too many high or critical vulnerabilities, this is where I
stop until they are fixed. If there are a lot of vulnerabilities, you
may be sure that penetration testing will succeed. You have learned
nothing.

Finally, I want to run a penetration test focusing on the results of
the vulnerability testing. A word about "ethical hacking" is in order
here. That's an oxymoron intended to give pen testers a marketing
mystique. There simply is no such thing given today's understanding of
hacking. What we are doing is penetration testing, the operative word
being "testing." That implies rigor, structure, planning, repeatability
and thoroughness. Hacking is none of those things. If you are not
performing your testing this way, you are wasting your time. The good
news is that today's crop of tools supports a professional approach to
vulnerability analysis.

So, what you want is a solid vulnerability assessment tool that
stays current with vulnerabilities and is fairly easy to use. Ease of
use offers the benefit of repeatability because you can perform a set
of tests, and the next time you want to perform the same tests you can
be pretty certain you're repeating your earlier tests. For that,
scripting is a must. Building scripts or macros aids the repeatability
process.

In addition, you want a penetration tool that can test a
vulnerability all the way to penetration. The best way to ensure this
is to be able to plant an agent on the target as a result of the
penetration that allows direct access to the target. Rarely do you find
both of these tools in the same product. However, there is a trend
toward this mix and, although there are very few today, I expect that
there will be a good deal more in the near future.